That cyber-heist of 2.9B personal records? There's a class-action lawsuit looming for that

Background check biz accused of negligence


Updated A lawsuit has accused a Florida data broker of carelessly failing to secure billions of records of people's private information, which was subsequently stolen from the biz and sold on an online criminal marketplace.

California resident Christopher Hofmann filed the potential class-action complaint against Jerico Pictures, doing business as National Public Data, a Coral Springs-based firm that provides APIs so that companies can perform things like background checks on people and look up folks' criminal records. As such, National Public Data holds a lot of highly personal information, which ended up being stolen in a cyberattack.

According to the suit [PDF], filed in a southern Florida federal district court, Hofmann is one of the individuals whose sensitive information was pilfered by crooks and then put up for sale for $3.5 million on an underworld forum in April.

If the thieves are to be believed, the database included 2.9 billion records on all US, Canadian, and British citizens, and included their full names, addresses, and address history going back at least three decades, social security numbers, and the names of their parents, siblings, and relatives, some of whom have been dead for nearly 20 years. 


It's believed that a digital thief using the handle SXUL exfiltrated the files from National Public Data and then passed them along to a criminal gang that goes by USDoD, which acted as the data broker for the stolen goods and assured would-be buyers that none of the purloined info was scraped from public sources.

Hofmann, in the August 1 lawsuit, says he received a notice from his identity-theft protection service around July 24 notifying him that his personally identifiable information (PII) had ended up on the dark web. 

He claims he never provided this sensitive info to National Public Data and "believes that his PII was scraped from non-public sources by defendant."

In fact, the data broker scrapes PII of "potentially billions" of people, none of whom ever provided their information to National Public Data, the lawsuit, which references The Register's reporting, alleges. "By obtaining, collecting, using, and deriving a benefit from the PII of plaintiff and class members, defendant assumed legal and equitable duties to those individuals to protect and safeguard that information from unauthorized access and intrusion," it notes.

And this is where National Public Data allegedly failed miserably. The Florida firm stands accused of negligently storing the database in a way that was accessible to the thieves, without encrypting its contents or redacting any of the individuals' sensitive information.

"This unencrypted, unredacted PII was compromised, published, and then sold on the dark web, due to defendant's negligent and/or careless acts and omissions and their utter failure to protect customers' sensitive data," the legal complaint alleges. 

And the stolen data, which can be used for identity theft, digital fraud, and even physical stalking and harassment, presents a "continuing risk to the victims" that "will remain for their respective lifetimes," the lawsuit claims.

Hofmann, on behalf of potentially millions of other plaintiffs, has asked the court to require National Public Data to destroy all personal information belonging to the class-action members and to use encryption, among other data-protection methods, in the future.

The lawsuit also wants the background-check firm to implement an infosec program and employee training to help protect people's confidentiality, and it asks the judge to require that National Public Data hire third-party auditors and penetration testers to ensure that criminals can't break into its network and steal any more massive databases.

Additionally, it seeks unspecified monetary relief for the data theft victims, including "actual, statutory, nominal, and consequential damages."

We have sought comment from National Public Data. ®

Updated to add on August 12

Though there have been some leaks of portions of the stolen National Public Data collection here and there, someone has now started distributing for free via the dark web what's claimed to be 2.7 billion records from that collection, totaling nearly 280GB. This would include people's names, addresses, and Social Security Numbers.
